Home page logo
/

nanog logo nanog mailing list archives

Re: weird BGP cisco-ism? [problem resolved]
From: Chris Garner <cgarner () sni net>
Date: Fri, 11 Jul 1997 23:02:45 -0600 (MDT)




     The problem with tagging everything a BGP customer passes to
you with the "export it" tag is that customers have been known to export
routes they shouldn't.  The ACL provides a sanity check without costing
much (if you've already got the database/distribution tools built).

that's why you build customer ingress filters based on IRR info, as i've 
mentioned several times now....

-danny




        Dawn breaks....I missed that, but rereading your earlier
messages I get it.  So we agree that everyone should have an ACL
somewhere between the customer and any exterior connection.  You are
saying that building egress ACLs that include the routes from all the
ingress filters doesn't scale.  

        If you've got them built off a database of some sort (internal,
IRR, whatever) building and keeping them consistent should be straightforward.
So any scaling problems are related to CPU/memory/BGP slowdown due to
the size of the lists or to propagation delay of changes (waiting for database
updates to propagate out).

        Does anyone know how large an ACL can be before it causes
performance problems?  My egress filters are in the hundreds of lines -
does anyone run ciscos with 1000 line distribute-lists in BGP?  10K lines?

        Without the egress ACLs you still aren't protected if you forget
to add an ingress ACL or have some bogus route you've generated internally.
And I've seen both of those happen to NSPs.  If you've got ingress and
egress filters you do have better protection.

        I guess I'm just paranoid about routing information, so I filter
at every access point.

-- 

                                -Chris (cgarner () sni net)



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]